Study: Why phishing works

BOSTON (4/19/06)--Harvard University and University of California Berkeley researchers analyzed why the use of look-alike sites and urgent e-mails are so effective in tricking consumers into giving their personal information. Despite widespread public warnings about the dangers of phishing, consumers tend not to look for clues that help distinguish real sites from fake ones (Harvard University April 2006).

Phishing is a type of fraud that directs computer users to bogus websites. About two million users gave information to bogus websites resulting in direct losses of $1.2 billion for financial institutions and card issuers in 2003. Gartner Research (June 22, 2005) found that the number of phishing attack e-mail recipients grew 28% by mid-2005, based on a survey of 5,000 online U.S. consumers.

After conducting tests on a small sample of users, researchers found that most users were unable to distinguish fake from legitimate e-mails. Nearly a quarter of subjects in the study didn't look at the address bar, status bar, or other security indicators on the fraudulent sites. Phishers exploit the fact that some users don't understand the meaning or syntax of domain names and therefore can't distinguish legitimate URLs from fraudulent ones. When presented with, many users mistakenly believed the URL belongs to

Many computer users don't have the skills to distinguish forged from legitimate headers, and they don't know that a closed padlock icon in the browser indicates that the page they're viewing was delivered securely by SSL. More specifically, many users don't know that legitimate padlock icons must appear in the area around the web page; phishers can arbitrarily place the icon in the content of the web page to make you think the site is legitimate.

Users often are fooled by substitute letters that often go unnoticed (for example, using a lowercase "i" which looks similar to the letter "I", or using the number "1" for the letter "I"). And, while images and logos may be copied perfectly, many users don't know to look for misspellings or other signs of unprofessional design. In one carefully spoofed e-mail, researchers used (with a double "v" instead of "w"), inserted a padlock in the content, spoofed the VeriSign logo and certificate validation seal, and added a pop-up consumer security alert. Despite multiple opportunities to catch the phish, 91% or participants mistakenly guessed it was legitimate.

The Federal Trade Commission and the Anti-Phishing Working Group offer the following additional tips:


  • Use anti-virus software and a firewall, and keep them up to date. They can protect you from inadvertently accepting fraudulent files. Download free software patches if your browser offers them.



  • Never give personal or financial information in e-mail messages. E-mail isn't a secure method of transmitting personal information.



  • If you want to provide personal or financial information through an organization's website, look for a padlock icon on the browser's status bar (not in the content of the Web page), or a URL that begins "https."



  • Check all statements for unauthorized charges.



  • Be careful about opening attachments or downloading files from e-mail messages; these files may contain viruses or software that can weaken your computer's security.
Forward fraudulent e-mails to the credit union, company, or organization impersonated in the phishing e-mail. If you think you've been a victim of phishing, file a complaint at and then visit the Federal Trade Commission's Identity Theft website at